Friday, July 25, 2014

EBS 12.2 -- Configuring SSL in Oracle E-Business Suite Release 12.2

Let's demonstrate an SSL implementation process in EBS 12.2.
What I mean by SSL implementation is configuring the clients' browsers and the EBS web services to communicate through SSL. EBS uses FMW to communicate over SSL between its components.

Info:

Oracle Fusion Middleware supports SSL version 3 and TLS version 1, with JKS-based keystores for components running under Java and Oracle Wallets for other components, such as the Oracle HTTP Server.

In the Web tier, we still use Oracle Wallet to store and manage our certificates. On the other hand, Java keystores can be used for building secure communication to and from the WebLogic servers.

Other components (such as Oracle HTTP Server) continue to use the Oracle wallet as their storage mechanism.

Info:

Using wildcard certificates is now certified with EBS 12.2.

Okay, let's start.

We start by creating a wallet. We open Oracle Wallet Manager using the application's OS user account and the owm command; set your environment first, and don't use owm from the Oracle 10.1.2 home. We need to use the owm in the FMW home.

applmgr> export PATH=$FMW_HOME/webtier/bin:$FMW_HOME/oracle_common/bin:$PATH
applmgr> owm &   (opens the wallet manager in the background; note that you must have X window access, I mean xhost + as root, and you must have the necessary rpms installed on your system, for example 32-bit libXrender :))

On the Oracle Wallet Manager Menu navigate to Wallet -> New.

Answer No to: “Your default wallet directory doesn't exist. Do you wish to create it now?”

The new wallet screen will now prompt you to enter a password for your wallet. Be sure to make the password something you will remember. You will need the password whenever you open the wallet with Oracle Wallet Manager or perform operations on the wallet using the command line interface. With auto login enabled, processes submitted by the OS user who created the wallet do not need to supply the password to access the wallet. Click YES when prompted: “A new empty wallet has been created. Do you wish to create a certificate request at this time?”

Once we have created our wallet, OWM asks us if we want to create a certificate request. We answer yes and fill in the form accordingly (we use the information that our customer provides, I mean OU, State, Country, Key Size, etc.).

After creating our certificate request, we need to export it.

While exporting, note the directory name when prompted. This is the default directory of our wallet.

Declare a name for your CSR, for example server.csr, and save. It will create a server.csr file in your wallet directory, for example under /apps/fs2/EBSapps/10.1.2/owm/wallets/applmgr. It will report the file as saved.

Okay, now we should send this to our customer, as they should submit this certificate request to their Certificate Authority to request a server certificate.

The process should be like this. It is documented like this, but sometimes we need to go beyond the documents.

I mean, if the customer has already acquired the certificate in .p12 file format, we need to convert it.

Open the newly created ewallet.p12 with Oracle Wallet Manager, tick "Auto Login" in the Wallet menu, then save. This creates cwallet.sso alongside ewallet.p12.

So once we have a valid wallet (ewallet.p12 and its autologin file cwallet.sso), we can continue with the SSL configuration.

While making our wallet autologin with Wallet Manager, we should also save our wallet into the directory {s_web_ssl_directory}/Apache

Note that the curly braces denote AutoConfig variables. You can find their values using: cat $CONTEXT_FILE | grep variable_name

Note: If all trusted certificates that make up the chain of the server certificate are not present in the wallet, adding the certificate will fail. When the wallet was created, only the certificates for the most common CAs were included automatically. Contact your Certificate Authority if you need to add their certificate, and save the provided file (for example as ca.crt) in the wallet directory. If your Certificate Authority provided an intermediate certificate (to complete the chain), save the provided file (for example as intca.crt); this will need to be imported into Oracle Wallet Manager prior to importing the server certificate (server.crt if you used the example name). Okay, then we import our root and intermediate certificates into the b64InternetCertificate.txt file.

adSyncContext.pl will propagate the changes we just made from the Oracle Fusion Middleware Control Console to the context file variables.

Secondly, we open OAM (it can also be done with the vi editor from the OS) and check and change the following AutoConfig variables if necessary:

SSL Related Variables in the Context File

Variable                  Non-SSL Value                                       SSL Value
s_url_protocol            http                                                https
s_local_url_protocol      http                                                https
s_webentryurlprotocol     http                                                https
s_active_webport          same as s_webport                                   Verify the port, correct if required.
s_webssl_port             not applicable                                      Verify the port, correct if required.
s_https_listen_parameter  not applicable                                      Verify the port, correct if required.
s_login_page              url constructed with http protocol and s_webport    Verify the protocol and port, correct if required.
s_external_url            url constructed with http protocol and s_webport    Verify the protocol and port, correct if required.

Lastly, we shut down our application services and run AutoConfig so that the system is configured with the new variable values. AutoConfig makes the SSL configuration system-wide. When AutoConfig completes, we start our services.
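Before running AutoConfig, it pays to check that the variables from the table above are consistent with each other, otherwise you end up with a login page still pointing at the http port. The script below is an added example and is not part of the original post or of EBS itself: it assumes the usual context-file markup of the form <tag oa_var="s_name">value</tag>, and that with SSL enabled s_active_webport and s_https_listen_parameter carry the same port as s_webssl_port while s_login_page and s_external_url are built with https and that port. The sample context files it writes are constructed for illustration, with made-up host names and ports.

```shell
#!/bin/sh
# Added example (not part of the original post): a pre-AutoConfig sanity
# check of the SSL-related variables in an EBS 12.2 context file.
# Assumes <tag oa_var="s_name">value</tag> markup; sample data is constructed.

# ctx_var FILE VAR: print the value of AutoConfig variable VAR from FILE.
ctx_var() {
    sed -n "s/.*oa_var=\"$2\"[^>]*>\([^<]*\)<.*/\1/p" "$1" | head -n 1
}

# check_ssl_context FILE: print one FAIL line per inconsistency and return
# the number of problems found (0 means the file is SSL-consistent).
check_ssl_context() {
    f="$1"
    problems=0
    for v in s_url_protocol s_local_url_protocol s_webentryurlprotocol; do
        val=$(ctx_var "$f" "$v")
        if [ "$val" != "https" ]; then
            echo "FAIL $v='$val' (expected https)"
            problems=$((problems + 1))
        fi
    done
    sslport=$(ctx_var "$f" s_webssl_port)
    case "$sslport" in
        ''|*[!0-9]*)
            echo "FAIL s_webssl_port='$sslport' (expected a TCP port number)"
            problems=$((problems + 1)) ;;
    esac
    # With SSL enabled, the active web port and the HTTPS listen parameter
    # both carry the SSL port (assumption stated in the lead-in).
    for v in s_active_webport s_https_listen_parameter; do
        val=$(ctx_var "$f" "$v")
        if [ "$val" != "$sslport" ]; then
            echo "FAIL $v='$val' (expected $sslport)"
            problems=$((problems + 1))
        fi
    done
    # Login page and external URL must be built with https and the SSL port.
    for v in s_login_page s_external_url; do
        url=$(ctx_var "$f" "$v")
        case "$url" in
            https://*:"$sslport"/*) ;;
            *)
                echo "FAIL $v='$url' (expected https://host:$sslport/...)"
                problems=$((problems + 1)) ;;
        esac
    done
    echo "$f: $problems problem(s)"
    return "$problems"
}

# write_sample_context FILE PROTO PORT SSLPORT: write a constructed, minimal
# context file (a real one carries hundreds of variables; host is made up).
write_sample_context() {
    cat > "$1" <<EOF
<oa_context>
  <url_protocol oa_var="s_url_protocol">$2</url_protocol>
  <local_url_protocol oa_var="s_local_url_protocol">$2</local_url_protocol>
  <webentryurlprotocol oa_var="s_webentryurlprotocol">$2</webentryurlprotocol>
  <activewebport oa_var="s_active_webport" oa_type="PORT">$3</activewebport>
  <webssl_port oa_var="s_webssl_port" oa_type="PORT">$4</webssl_port>
  <https_listen_parameter oa_var="s_https_listen_parameter">$4</https_listen_parameter>
  <login_page oa_var="s_login_page">$2://ebs.example.com:$3/OA_HTML/AppsLogin</login_page>
  <external_url oa_var="s_external_url">$2://ebs.example.com:$3/</external_url>
</oa_context>
EOF
}

# Demo: one file switched to SSL correctly, one still carrying http values.
good=$(mktemp); bad=$(mktemp)
write_sample_context "$good" https 4443 4443
write_sample_context "$bad"  http  8000 4443
check_ssl_context "$good"
check_ssl_context "$bad"
rm -f "$good" "$bad"
```

On a real system you would call check_ssl_context "$CONTEXT_FILE" after editing the variables in OAM and before shutting the services down; a non-zero return means at least one variable still reflects the non-SSL setup. The second sample file deliberately keeps the http protocol and the old web port, so the check reports six problems.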

So that's it. We configured our EBS 12.2 environment to work with SSL.

Some important notes about the SSL configuration in EBS 12.2:

After this configuration, we will reach our login page using https://hostname:ssl_port

Even if we use http://hostname:non_ssl_port to reach our login page, it will be redirected to the SSL-enabled URL https://hostname:ssl_port.

That is, our non-SSL TCP port will still be open. Note that we can close it: change httpd.conf, comment out the line starting with Listen, and restart Apache. On the other hand, I don't recommend it, because that port is kept open for those products that need to access some of their pages via HTTP, and for the Oracle E-Business Suite Help System.

So in short, you will not be able to use the EBS Help pages if you close that non-SSL TCP port.

One last thing: with this configuration, our forms will be working in SSL too. It is because EBS uses the servlet architecture in the Forms communication layer, so we don't need to do anything about Forms. Forms will be communicating over https.

Wildcards can be used in the certificates! Tested & verified. A certificate with a server name *.ermandom.com works very well.

Oracle E-Business Suite Release 12.2 currently supports securing the communication between the end user's browser and the data center. Securing the OPMN wallet with Fusion Middleware Control Console is detailed in this document, but securing the internal communication (Oracle WebLogic Managed Server and other components with Oracle HTTP Server) will be supported in a later release and detailed in this section when it becomes available.

I have used a wildcard certificate in EBS 12.2. It is supported to use a wildcard for enabling SSL on EBS 12.2: the Oracle E-Business Suite Release 12.2 deployment of Oracle WebLogic Server includes an enhancement to allow wildcard certificates. However, in order to make a wildcard certificate work with the Oracle Wallet side, you need to take a different approach, as we did.

Reference Documents:

How to Import a Third Party Wallet into FMW 11g (11.1.1.X) (Doc ID 1268793.1) and How to Convert a Third Party Wallet to an Oracle Wallet in AS 10g (Doc ID 603622.1).

Importing the wildcard certificate as a trusted certificate is not what you need to do. Your wildcard certificate should be imported as a user certificate, and its status should be Ready.

The different approach that I mentioned above is:

Get all your certificates imported into a .pfx file, and then convert the .pfx file to an Oracle Wallet.

In other words, get a .pfx file which includes all the certificates, and create the Oracle Wallet from this .pfx file (convert .pfx to wallet).
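The two places where this goes wrong in practice are the chain note earlier (the import fails if an intermediate is missing) and the .pfx assembly here (a .pfx with only the server certificate gives a wallet that browsers will not trust). The following script is an added example, not part of the original post or of any Oracle tool: it uses the openssl command line to bundle the server certificate, its private key and the complete CA chain into one PKCS#12 file, and to verify the chain before that file is opened in Oracle Wallet Manager (as ewallet.p12, with autologin ticked, as described above). The throwaway CA, the wildcard server certificate for *.ermandom.com and all file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): build a .pfx holding the server
# certificate, its key and the full CA chain, and verify the chain first.
# Requires the openssl CLI; the demo CA and file names below are constructed.

# build_pfx CERT KEY CHAIN OUT PASSWORD: bundle server cert, key and CA chain.
build_pfx() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
        -name "ebs-server" -passout "pass:$5" -out "$4" 2>/dev/null
}

# verify_chain CERT CHAIN: 0 if CERT chains up to the CA certificates in
# CHAIN, 1 otherwise (the wallet import fails in exactly this situation).
verify_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# pfx_has_key_and_chain PFX PASSWORD: 0 if PFX contains a private key and at
# least two certificates (the server certificate plus its issuer).
pfx_has_key_and_chain() {
    dump=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nodes 2>/dev/null) || return 1
    keys=$(printf '%s\n' "$dump" | grep -c 'BEGIN.*PRIVATE KEY') || true
    certs=$(printf '%s\n' "$dump" | grep -c 'BEGIN CERTIFICATE') || true
    [ "$keys" -ge 1 ] && [ "$certs" -ge 2 ]
}

# make_demo_pki DIR: constructed throwaway root CA and a wildcard server
# certificate signed by it, standing in for what a real CA would return.
make_demo_pki() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=*.ermandom.com" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/server.crt" 2>/dev/null
}

# Demo run: verify the chain, build the .pfx, inspect it.
work=$(mktemp -d)
make_demo_pki "$work"
if verify_chain "$work/server.crt" "$work/ca.crt"; then
    echo "chain complete, building ewallet.p12"
    build_pfx "$work/server.crt" "$work/server.key" "$work/ca.crt" \
        "$work/ewallet.p12" demo
    pfx_has_key_and_chain "$work/ewallet.p12" demo \
        && echo "ewallet.p12 holds the key and the chain"
else
    echo "chain incomplete: import the missing CA certificate first"
fi
rm -rf "$work"
```

The resulting ewallet.p12 is what you open in Oracle Wallet Manager to tick "Auto Login" and save, which produces the cwallet.sso next to it. Running verify_chain against the CA bundle you received is the cheap way to confirm that the intermediate certificate is really there before you spend time on the wallet import.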

It is not supported to use wildcard certificates for 12.1.1. If you want to use a wildcard certificate there, offload the SSL processing to a load balancer or a front-end web server that can do wildcard-based SSL processing.